Data Erasure – The End of the Data Lifecycle
In last week’s blog we discussed data encryption and data security. Encryption is just one area of data security and data security rolls up into the larger category of data management. What do you think about when you hear the term “data management?” Does the word “security” come to mind? Maybe you think of BIG data. How many of you think of end of life data and data erasure? Data management encompasses the entire lifecycle of data - from creation to disposal.
The question of the day is “How are you disposing of your data and are you 100% certain it is secure?” Corporate IT managers all over the world ask themselves this on a regular basis.
Types of Data Erasure
There are several methods to dispose of data. Let’s start with the quick and easy one: physical destruction of the media. If you are not planning on reusing or reselling the media, you can physically destroy it. It might be entertaining to drill, melt or take a hammer to a drive, but there are better, more secure ways of destruction. If your media is a traditional HDD or tape, an effective, secure method of destruction is using a degausser. A degausser generates a magnetic field or wave that, when applied to the media, effectively destroys the magnetic domains used for data storage.
If you have an SSD/Flash drive, shredding it is the way to go. You want to make sure that the particle size of the shredder is small enough to destroy the chips inside the SSD. There are services that shred and recycle both HDD and SSD drives; just be sure to verify their process before hiring. A couple of things to consider are:
- On-site vs. Shipping. On-site shredding may have a little higher cost, but you will not have to secure and ship your media. If you ship your media to the recycler’s location, make sure the media is secure/encrypted before shipping.
- Particle size. When shredding SSDs, particle size matters. You want to make sure they are shredded fine enough to destroy all the chips inside.
Physical destruction is very effective if you do not intend to reuse or resell the media. For a corporate IT manager, this adds costs to disposing of data. You have the costs of the physical destruction, possibly including secure shipping costs, and oftentimes there is a cost to replace the media that was just destroyed. So what are some options that will allow you to reuse your media?
Formatting a drive by using the OS prepares the drive for storing data and can erase all data on the disk. We say “can” because there are a couple of different options when formatting a disk. If you want to completely sanitize your hard drive, you need to select full format and make sure the OS is specifically designed to pattern fill the drives when choosing the full format option (older OS versions may not pattern fill the drive even when full format is selected). This will effectively overwrite all of the data on the drive, making it safe to re-use or re-sell. This method is effective, but it is time-consuming. It’s probably ok for a home user who only has one or two drives to erase, but if it is a corporate IT manager trying to erase 10 to 100 drives, it is probably not worth the time.
Have you ever seen the instructions on how to completely erase pencil? You erase, scribble (write) completely over it and erase again. The same principle applies to data, except you don’t have to erase it; the writing of new data to the same block does that for you. You can intentionally, or unintentionally, write a set of data over your current data, making it unrecoverable. This process of overwriting works well with a traditional HDD. When it comes to SSD and Flash media, it is less reliable: due to the complexity of SSD media and the way the erasure software interfaces with the drive, overwriting can potentially miss blocks of user data. This method of sanitizing media is usually achieved with erasure software. There are many different types of erasure software on the market right now. Some are 100% effective at sanitizing media and some are not. Key things to look for when purchasing erasure software:
- Does it erase my type of media? As you probably know, an SSD is very different from a standard hard drive and both of those are different than a mobile device. You need the right tool for the task.
- Do they offer a certificate of erasure? Are they willing to put their product’s effectiveness in writing?
- Will it erase the quantity of drives/media needed in a timely manner? If you are an IT manager in a corporate setting, this is probably an important question for you. Especially when you open up that closet of media that has reached the end of life or archive expiration date.
- Does the software company also offer a service with the software? Some companies will erase onsite at your location. This minimizes risk and time in the deletion process. Very helpful when you have a large amount of media.
The rise of data encryption on devices also offers us another way to erase data, called crypto erase. It does not matter if it is a self-encrypting drive or a drive with software encryption; it works on both. The basic method is quick and simple. First, you make sure your data is encrypted, and then you overwrite and delete the key. Those blocks of data are now inaccessible, and they will eventually be overwritten when the drive is reused.
Once you choose your weapon of data destruction, how do you know that it is completely erased? If you are a corporate IT manager who has to answer to the powers that be, how do you prove that your erasure methods are 100% successful? What would happen if your company’s data that you thought was erased ended up in someone else’s hands? Are we giving you an ulcer yet? These are the questions that a corporate IT manager should be concerned about.
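For the overwrite method described above, one way to answer that question is to read the media back and check every block against the fill pattern. The sketch below is an added example, not code from this blog or from any erasure product; it runs against a constructed temporary image file standing in for a drive, and the block size, function names and sample data are assumptions.

```python
import os
import tempfile

BLOCK = 4096  # verification granularity in bytes (assumed; pattern length must divide it)

def overwrite(path, pattern=b"\x00"):
    """Pattern-fill every block of the target and flush it to stable storage."""
    size = os.path.getsize(path)
    fill = pattern * (BLOCK // len(pattern))
    with open(path, "r+b") as f:
        for off in range(0, size, BLOCK):
            f.write(fill[: min(BLOCK, size - off)])
        f.flush()
        os.fsync(f.fileno())  # without this the pattern may only be in the page cache

def residual_blocks(path, pattern=b"\x00"):
    """Read the target back; return offsets of blocks that do not hold the pattern."""
    fill = pattern * (BLOCK // len(pattern))
    bad, off = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            if chunk != fill[: len(chunk)]:
                bad.append(off)
            off += len(chunk)
    return bad

def make_image(blocks=64):
    """Constructed stand-in for a drive: a temp file filled with random 'user data'."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(blocks * BLOCK))
    return path

def demo():
    path = make_image()
    try:
        before = len(residual_blocks(path))   # every block still holds data
        overwrite(path)
        clean = residual_blocks(path)         # nothing left after a full pass
        # Simulate one block the eraser never reached, the failure the text warns about
        with open(path, "r+b") as f:
            f.seek(5 * BLOCK)
            f.write(b"customer record")       # constructed sample data
        missed = residual_blocks(path)        # verification flags exactly that block
        return before, clean, missed
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

A read-back through the operating system only covers the blocks the host can address, so on SSD and Flash media a clean result does not rule out the missed blocks mentioned earlier.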